DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

MN: Fairview Health Services and North Memorial Hospital inform patients of breach due to Accretive Health's security #FAIL

Posted on September 28, 2011 by Dissent

Lorna Benson reports:

Fairview and North Memorial Hospitals are notifying more than 16,000 patients that a laptop containing their personal and medical information was stolen.

The laptop belonged to a healthcare services firm that coordinates services for Fairview. The theft occurred on July 25 in the parking lot of a Minneapolis restaurant.

The computer contained the names of 14,000 Fairview patients along with their addresses, dates of birth, some diagnostic information and social security numbers. Approximately 2,800 North Memorial patients were also affected, but the information on the laptop didn’t include their social security numbers or home addresses.

Read more on Minnesota Public Radio. Maura Lerner and Tony Kennedy of the Minneapolis Star Tribune add some additional details, including that Fairview was notified of the breach within days.

Not only was the laptop unencrypted – reportedly  in violation of Accretive’s own policies and procedures – but their employee left the laptop in a car in a restaurant parking lot. Has the employee been fired?  How often does Accretive actually audit laptops to confirm that they are properly encrypted?  Accretive did not respond to requests for additional information about this incident.

I am really on the warpath about data losses due to unencrypted information being left in unattended cars.  This is the second breach report today involving a laptop with unencrypted PHI being stolen from an employee’s car.

When is HHS going to start smacking some of these companies with fines for this type of easily avoidable and ridiculous breach? And if they won’t, will some state attorney general?

Although this breach will cost Accretive, who is footing the costs for free credit monitoring for those affected, there appear to be no long-term consequences for Accretive in terms of its relationship with Fairview:

Fairview’s chief clinical integration officer Dr. Mark Werner said privacy breach will not stop Fairview from exchanging patient information with Accretive Health.

“The sharing of health information is a challenge that we all face. But at the same time we need to continue to grow our capabilities of taking care of our community and our population of patients better and better,” Werner said. “And having committed strategic partners like Accretive I think is appropriate and part of that effort.”

Part of that effort should be auditing your strategic partners to ensure they are complying with your privacy and security clauses in your contract, too, no? Has Fairview done that? Will it do it now?  And why did the data have to leave the premises instead of being remotely accessible to the consultant?

Yes, you are hearing disbelief and frustration.  There is simply too much information needlessly leaving the reservation and more secure environments to be left in employees’ cars.

But that’s just my .02.  Your mileage may vary.

Related posts:

  • July theft of computer with Fairview patient data wasn't the first, Minnesota AG says
  • Senator Franken questions Accretive about allegations raised by Minnesota's Attorney General
  • Attorney General Swanson Sues Accretive Health for Patient Privacy Violations
  • North Memorial Hospital settles HHS charges for $1.55M
Category: Health Data

Post navigation

← UKChatterbox urges password change following hack attack
Ca: 1,500 patients' private info lost →

2 thoughts on “MN: Fairview Health Services and North Memorial Hospital inform patients of breach due to Accretive Health's security #FAIL”

  1. Anonymous says:
    September 28, 2011 at 4:58 pm

    Hm, interesting. I blogged about this story yesterday, using the Star Tribune as my source. I’ve gone back to the Tribune article, and it looks like any references to the laptop being a personal one to the employee have been removed. I know it was there as my own post centered around that particular “fact.”

    1. Anonymous says:
      September 28, 2011 at 6:38 pm

      Yep, I had seen that reference to it being the employee’s laptop, too, although I don’t remember which article I had seen it in. But I realized it had to be company-issued because of the spokesperson’s statements about how due to human error, this laptop hadn’t been encrypted, when it should have been.

      It would be nice if papers didn’t do silent deletes and pointed out where they’ve edited or changed a story.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report